Lattice-Based Post-Quantum Cryptography: A Critical Examination

Delve into the world of post-quantum cryptography, specifically lattice-based (LWE) methods, as expert Neal Koblitz questions the security of RSA and ECC against quantum threats. Explore the endorsements of NIST, gaps in proof of security, and the potential of hybrid LWE-ECC cryptography as a quantum-resistant alternative.


Presentation Transcript


  1. Vietnam Institute for Advanced Study in Mathematics, 7 December 2023. Is Lattice-Based Post-Quantum Cryptography Secure? Neal Koblitz, koblitz@uw.edu, University of Washington, Seattle

  5. Outline of Talk
     ● During my visit in 2018 I gave reasons for skepticism about predictions of successful quantum attacks on RSA and Elliptic Curve Cryptography (ECC) any time soon.
     ● What is lattice-based (LWE) post-quantum cryptography? Why did the U.S. government agency NIST endorse it?
     ● The “mathematical proof” of its security — gaps and fallacies.
     ● An alternative: hybrid LWE-ECC cryptography.

  8. 1. Quantum Computation
     Exponentially faster than classical computation:
     classical — acts on n-bitstrings, that is, elements of an n-dimensional vector space over F_2
     quantum — acts on elements of a 2^n-dimensional vector space over C; the absolute value squared of each complex component is the probability that the corresponding bitstring will be observed

  12. Reasons to doubt that quantum computing can be carried out on a large scale in the near (or medium) future:
     1. Huge technical obstacles to scaling: noise and instability — “quantum decoherence”.
     2. No way is known to store data within a quantum system; this greatly limits the types of problems that can be solved and also greatly reduces the financial incentive to continue investing large sums of money in it.
     3. Over the 2 or 3 decades that large sums of money have been devoted to research and development of quantum computation, progress has been very slow, much slower than initially predicted.

  15. 4. Science fiction writers and others who write about future technology have a poor record. For example, the writers of the mid-20th century
     failed to predict: email, the Internet, personal computers, smart phones, or social media
     incorrectly predicted: human exploration of other planets, widespread supersonic passenger transportation, nuclear powered cars and home appliances

  21. Advances in technology do not always live up to expectations.
     1957 — Soviet Union launches Sputnik, 1st satellite
     1961 — Soviet astronaut Yuri Gagarin, 1st human to orbit Earth
     1969 — American astronaut Neil Armstrong, 1st human on the Moon
     1972–present — no human goes beyond Earth orbit
     2023 — goal of NASA and the space agencies of several other countries is to send a human to the moon again

  24. There is no urgency in transitioning to “quantum-safe” cryptography. We have many years — enough time to do it carefully.
     What about the possibility that currently encrypted secrets are being stored by adversaries and criminals, who are waiting until quantum computers can break the encryption?
     We should ask: What needs to be secret even decades from now? Not cryptography used for digital signatures, access codes, hiding credit card numbers, etc.

  27. In practice, relatively little needs to remain secret for 30 or 40 years.
     Most of that should in any case be protected by a layer of private key encryption, such as AES at high security levels, which is believed to be secure even against quantum computation.
     Identifying those super-secret messages that need extra protection, and then putting on AES (with a key exchange that does not rely on RSA or ECC security) is easier and less risky than transitioning to a completely new kind of encryption.

  30. To those who argue for quick adoption of lattice-based post-quantum cryptography I respond: How can we be sure that a system of data protection that has not been extensively tested or used will be secure and protect that super-secret encrypted data for 30 or 40 years?
     As I will show, the so-called “guarantees” of the security of lattice-based cryptography that come from purely mathematical arguments are invalid. They guarantee nothing.

  32. Last year the U.S. government agency National Institute of Standards and Technology (NIST) recommended a transition from RSA and ECC to certain lattice-based cryptosystems. The agency expressed confidence in their security.
     Lattice-based cryptography is much more complicated than RSA or ECC. It’s more difficult to achieve confidence in the security of a complicated system than in a simpler one.

  36. The conjecturally hard computational problems that the security of the most important public key cryptosystems relies on:
     RSA: integer factorization (given N = pq, find p and q).
     ECC: elliptic curve discrete logarithm (given points P and Q with Q a multiple of P, find k such that Q = kP).
     Lattice-based: “learning with errors” (LWE) — essentially a linear algebra problem where the vector of constants contains a random error according to a certain error distribution.

  38. To be more precise, I’ll describe the example of an LWE-based bit-encryption system that was proposed in an important early article by Oded Regev in 2009.
     ● n ≈ 1024
     ● n^2 < p < 2n^2 is a prime
     ● m ≈ (1+ε) n log p
     ● χ is a (Gaussian) probability distribution on Z/pZ

  41. ● the secret key: a random element s in (Z/pZ)^n
     ● the public key: (a, b) = (a_i, b_i)_{i=1,…,m}, where the vectors a_i in (Z/pZ)^n (the rows of an m × n matrix) are chosen randomly and b_i = ⟨a_i, s⟩ + e_i with the e_i in Z/pZ chosen randomly according to the distribution χ. That is, the vector b in (Z/pZ)^m is the result of applying the matrix a to the vector s followed by a perturbation by the error vector e.

  43. ● to encrypt a bit: randomly choose a subset S of {1,…,m}; the bit 0 is encrypted as (∑_{i∈S} a_i, ∑_{i∈S} b_i), and the bit 1 is encrypted as (∑_{i∈S} a_i, (p − 1)/2 + ∑_{i∈S} b_i).
     ● to decrypt: (a, b) decrypts to the bit 0 if the difference b − ⟨a, s⟩ modulo p is closer to 0 than to (p − 1)/2; otherwise, (a, b) decrypts to the bit 1.
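The bit-encryption scheme of slides 38 to 43 in working form, as an added example that is not code from the talk or from Regev's paper. It assumes toy parameters (n = 8 rather than 1024, with p and m derived from the constraints on slide 38) and models χ as a rounded Gaussian of standard deviation `sigma` reduced mod p; the function names are mine. The estimator at the end shows the point the decryption rule relies on: the accumulated error ∑_{i∈S} e_i has to stay well below p/4, so decryption is exact with no noise, reliable with small noise, and a coin flip once the noise is large relative to p.

```python
"""Toy model of the LWE bit-encryption scheme described above (Regev 2009).

Added example, not code from the talk or from Regev's paper.  Assumptions:
the parameter sizes (n = 8 instead of 1024) are toy values chosen so the demo
runs instantly, and the distribution chi is modelled as a rounded Gaussian of
standard deviation `sigma` reduced mod p.
"""
import math
import random


def regev_params(n, eps=0.1):
    """Pick p = smallest prime with n^2 < p < 2 n^2 and m = ceil((1+eps) n log2 p)."""
    p = n * n + 1
    while any(p % d == 0 for d in range(2, math.isqrt(p) + 1)):
        p += 1
    assert p < 2 * n * n, "Bertrand's postulate guarantees a prime in (n^2, 2n^2)"
    m = math.ceil((1 + eps) * n * math.log2(p))
    return p, m


def sample_error(sigma, p, rng):
    """One sample from chi: a rounded Gaussian, taken mod p."""
    return round(rng.gauss(0.0, sigma)) % p


def keygen(n, p, m, sigma, rng):
    """Secret key s in (Z/pZ)^n; public key (A, b) with b_i = <a_i, s> + e_i mod p."""
    s = [rng.randrange(p) for _ in range(n)]
    A = [[rng.randrange(p) for _ in range(n)] for _ in range(m)]
    b = [(sum(a * t for a, t in zip(row, s)) + sample_error(sigma, p, rng)) % p
         for row in A]
    return s, (A, b)


def encrypt(pk, bit, p, rng):
    """Bit 0 -> (sum_S a_i, sum_S b_i); bit 1 adds (p-1)/2 to the second component."""
    A, b = pk
    S = [i for i in range(len(A)) if rng.random() < 0.5]   # random subset of {1..m}
    a_sum = [sum(A[i][j] for i in S) % p for j in range(len(A[0]))]
    b_sum = sum(b[i] for i in S) % p
    if bit == 1:
        b_sum = (b_sum + (p - 1) // 2) % p
    return a_sum, b_sum


def _cyclic_dist(x, y, p):
    """Distance between x and y on the cycle Z/pZ."""
    d = (x - y) % p
    return min(d, p - d)


def decrypt(s, ct, p):
    """0 if b - <a, s> mod p is closer to 0 than to (p-1)/2, else 1."""
    a, b = ct
    d = (b - sum(x * y for x, y in zip(a, s))) % p
    return 0 if _cyclic_dist(d, 0, p) < _cyclic_dist(d, (p - 1) // 2, p) else 1


def decryption_failure_rate(n, sigma, trials=200, seed=1):
    """Fraction of encrypt/decrypt round trips that return the wrong bit.

    The accumulated error sum_{i in S} e_i must stay below roughly p/4 for
    decryption to work, so the rate is 0 for sigma = 0, negligible for small
    sigma, and about 1/2 once sigma is large compared with p.
    """
    rng = random.Random(seed)
    p, m = regev_params(n)
    s, pk = keygen(n, p, m, sigma, rng)
    wrong = sum(decrypt(s, encrypt(pk, t % 2, p, rng), p) != t % 2
                for t in range(trials))
    return wrong / trials


if __name__ == "__main__":
    for sigma in (0.0, 0.5, 8.0):
        print(f"n=8 sigma={sigma}: failure rate {decryption_failure_rate(8, sigma):.2f}")
```

Running the block prints the failure rate for three noise levels; with n = 8 the derived parameters are p = 67 and m = 54, so a `sigma` of 8 already makes the error sum wrap around the modulus and decryption degenerates to guessing. Real parameter sets keep the error small enough that this failure probability is negligible, which is exactly the trade-off between correctness and the hardness of the underlying LWE instance.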

  46. Both the integer factorization problem that RSA is based on and the elliptic curve discrete logarithm problem that ECC is based on have “stood the test of time.”
     That is, since the 1980s they have survived many attempts to find algorithms that will — within a reasonable amount of time — solve the cases of the problems that arise in cryptography.
     However, we do not have much direct evidence that LWE is intractable, that is, that the learning with errors problems that occur in trying to break an LWE-based cryptosystem in practice are too difficult to solve now or in the near future.

  48. For this reason the promoters and advocates for LWE-based cryptography take a theoretical approach, making their case for security by proving reduction theorems that relate the hardness of LWE to that of a well-known classical problem that has been studied for much longer than LWE.
     By “reducing” a computational problem P to a problem Q, we mean constructing an algorithm that, given a Q-solver (that finds solutions to Q) and some input to the problem P, can efficiently (counting the time needed to run the Q-solver as one unit of time) solve the problem P.

  50. Some well-known examples:
     1. The problem of solving quadratic equations reduces to finding square roots.
     2. The problem of finding square roots modulo an integer N reduces to factoring N into prime factors.